NIST CSF 2.0: What has changed?
by Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001
www.patreon.com/AndreyProzorov
2.0, 02.03.2024
Agenda
1. Journey To CSF 2.0
2. New Title
3. New Scope
4. What is the Framework?
5. Desired outcomes
6. Components of the Framework
7. Purpose
8. The new function (Govern) and changes in Categories and Subcategories
9. Framework Profiles
10. CSF Tiers: New criteria
11. Steps for Creating and Using Profiles
12. Other publications
13. NIST CSF 2.0 Mindmap
14. Significant Updates
15. NIST CSF 2.0 vs ISO 27001:2022
16. NIST CSF 2.0 and ISO 27001:2022 (mapping)
17. EU NIS 2 Directive and NIST CSF 2.0 (mapping)
www.nist.gov/cyberframework
Why is NIST deciding to update the Framework now toward CSF 2.0?
The NIST Cybersecurity Framework was intended to be a living document that is refined, improved, and evolves over time. These updates help the Framework keep pace with technology and threat trends, integrate lessons learned, and move best practice to common practice.
NIST initially produced the Framework in 2014 and updated it in April 2018 with CSF 1.1. Based on stakeholder feedback, in order to reflect the ever-evolving cybersecurity landscape and to help organizations more easily and effectively manage cybersecurity risk, NIST is working on a new, more significant update to the Framework: CSF 2.0.
www.nist.gov/cyberframework/updating-nist-cybersecurity-framework-journey-csf-20
https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final
New Title
CSF 1.1: Framework for Improving Critical Infrastructure Cybersecurity
CSF 2.0: The NIST Cybersecurity Framework 2.0
New Scope (wider)
NIST CSF 2.0 is designed to be used by organizations of all sizes and sectors, including industry, government, academia, and nonprofit organizations, regardless of the maturity level of their cybersecurity programs.
The CSF is a foundational resource that may be adopted voluntarily and through governmental policies and mandates.
The CSF's taxonomy and referenced standards, guidelines, and practices are not country-specific, and previous versions of the CSF have been leveraged successfully by many governments and other organizations both inside and outside of the United States.
What is the Framework?
The Cybersecurity Framework (CSF) 2.0 is designed to help organizations of all sizes and sectors (including industry, government, academia, and nonprofit) to manage and reduce their cybersecurity risks. It is useful regardless of the maturity level and technical sophistication of an organization's cybersecurity programs. Nevertheless, the CSF does not embrace a one-size-fits-all approach. Each organization has both common and unique risks, as well as varying risk appetites and tolerances, specific missions, and objectives to achieve those missions. By necessity, the way organizations implement the CSF will vary.
Current revision: 2.0, February 26, 2024
Desired outcomes
Ideally, the CSF will be used to address cybersecurity risks alongside other risks of the enterprise, including those that are financial, privacy, supply chain, reputational, technological, or physical in nature.
The CSF describes desired outcomes that are intended to be understood by a broad audience, including executives, managers, and practitioners, regardless of their cybersecurity expertise. Because these outcomes are sector-, country-, and technology-neutral, they provide an organization with the flexibility needed to address their unique risks, technologies, and mission considerations. Outcomes are mapped directly to a list of potential security controls for immediate consideration to mitigate cybersecurity risks.
Components of the Framework (CSF 2.0)
NIST CSF 2.0 includes the following components:
• CSF Core, the nucleus of the CSF, which is a taxonomy of high-level cybersecurity outcomes that can help any organization manage its cybersecurity risks. The CSF Core components are a hierarchy of Functions, Categories, and Subcategories that detail each outcome.
• CSF Organizational Profiles, which are a mechanism for describing an organization's current and/or target cybersecurity posture in terms of the CSF Core's outcomes.
• CSF Tiers, which can be applied to CSF Organizational Profiles to characterize the rigor of an organization's cybersecurity risk governance and management practices. Tiers can also provide context for how an organization views cybersecurity risks and the processes in place to manage those risks.
Purpose (CSF 2.0)
An organization can use the CSF Core, Profiles, and Tiers with the supplementary resources to understand, assess, prioritize, and communicate cybersecurity risks.
• Understand and Assess: Describe the current or target cybersecurity posture of part or all of an organization, determine gaps, and assess progress toward addressing those gaps.
• Prioritize: Identify, organize, and prioritize actions for managing cybersecurity risks that align with the organization's mission, legal and regulatory requirements, and risk management and governance expectations.
• Communicate: Provide a common language for communicating inside and outside the organization about cybersecurity risks, capabilities, needs, and expectations.
The new function (Govern) and changes in Categories and Subcategories

Function descriptions, CSF 1.1 vs CSF 2.0:

Govern (GV)
CSF 1.1: - (new in 2.0)
CSF 2.0: The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.

Identify (ID)
CSF 1.1: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
CSF 2.0: The organization's current cybersecurity risks are understood.

Protect (PR)
CSF 1.1: Develop and implement appropriate safeguards to ensure delivery of critical services.
CSF 2.0: Safeguards to manage the organization's cybersecurity risks are used.

Detect (DE)
CSF 1.1: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
CSF 2.0: Possible cybersecurity attacks and compromises are found and analyzed.

Respond (RS)
CSF 1.1: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
CSF 2.0: Actions regarding a detected cybersecurity incident are taken.

Recover (RC)
CSF 1.1: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
CSF 2.0: Assets and operations affected by a cybersecurity incident are restored.
Size of the Core, CSF 1.1 vs CSF 2.0:
CSF 1.1: 5 Functions, 23 Categories, 108 Subcategories, no Implementation Examples
CSF 2.0: 6 Functions, 22 Categories, 106 Subcategories, 363 Implementation Examples

CSF 2.0 Pyramid
CSF Core: A taxonomy of high-level cybersecurity outcomes that can help any organization manage its cybersecurity risks. Its components are a hierarchy of Functions, Categories, and Subcategories that detail each outcome.
• CSF Function: The highest level of organization for cybersecurity outcomes. There are six CSF Functions: Govern, Identify, Protect, Detect, Respond, and Recover.
• CSF Category: A group of related cybersecurity outcomes that collectively comprise a CSF Function.
• CSF Subcategory: A group of more specific outcomes of technical and management cybersecurity activities that comprise a CSF Category.
• CSF Implementation Example: A concise, action-oriented, notional illustration of a way to help achieve a CSF Core outcome.
Functions: 6; Categories: 22; Subcategories: 106; Implementation Examples: 363
Framework Profiles
A CSF Organizational Profile describes an organization's current and/or target cybersecurity posture in terms of the Core's outcomes. Every Organizational Profile includes one or both of the following:
• A Current Profile specifies the Core outcomes that an organization is currently achieving (or attempting to achieve) and characterizes how or to what extent each outcome is being achieved.
• A Target Profile specifies the desired outcomes that an organization has selected and prioritized for achieving its cybersecurity risk management objectives. A Target Profile considers anticipated changes to the organization's cybersecurity posture, such as new requirements, new technology adoption, and threat intelligence trends.

Steps for Creating and Using Profiles
This replaced section 3.2 "Establishing or Improving a Cybersecurity Program" of CSF 1.1, whose steps were: Step 1: Prioritize and Scope, Step 2: Orient, Step 3: Create a Current Profile, Step 4: Conduct a Risk Assessment, Step 5: Create a Target Profile, Step 6: Determine, Analyze, and Prioritize Gaps, Step 7: Implement Action Plan.
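The Current Profile vs Target Profile comparison described above (describe posture, determine gaps, assess progress), worked through as an added Python example that is not part of the presentation or of any NIST material: a constructed six-outcome Organizational Profile, its prioritized gap list, and per-Function progress toward the Target Profile. Subcategory identifiers follow the CSF 2.0 Function.Category-NN scheme; the one-line outcome descriptions and the 0..4 achievement scale are my own shorthand, not NIST text.

```python
"""Added example: gap analysis between a CSF 2.0 Current Profile and Target Profile."""
from dataclasses import dataclass

# The six CSF 2.0 Functions and their codes as used in the framework.
FUNCTIONS = {
    "GV": "Govern", "ID": "Identify", "PR": "Protect",
    "DE": "Detect", "RS": "Respond", "RC": "Recover",
}


@dataclass(frozen=True)
class Outcome:
    """One CSF Core outcome (Subcategory) with its Current/Target Profile entries.

    Identifiers follow the CSF 2.0 scheme Function.Category-NN. The descriptions
    are shortened paraphrases written for this example, not NIST text. The
    current/target values use a constructed 0..4 achievement scale; the CSF
    itself prescribes no particular scale, the organization chooses one.
    """
    sub_id: str
    description: str
    current: int   # Current Profile: extent to which the outcome is achieved today
    target: int    # Target Profile: desired extent, selected and prioritized
    priority: int  # 1 = highest, set by the organization's risk decisions

    @property
    def function(self) -> str:
        return self.sub_id.split(".")[0]

    @property
    def gap(self) -> int:
        return max(self.target - self.current, 0)


# Constructed sample Organizational Profile: one outcome per Function.
PROFILE = [
    Outcome("GV.OC-01", "Mission informs cybersecurity risk management", 1, 3, 1),
    Outcome("ID.AM-01", "Hardware inventories are maintained", 2, 4, 2),
    Outcome("PR.AA-01", "Identities and credentials are managed", 3, 4, 1),
    Outcome("DE.CM-01", "Networks are monitored for adverse events", 1, 3, 2),
    Outcome("RS.MA-01", "Incident response plan is executed once declared", 2, 2, 3),
    Outcome("RC.RP-01", "Recovery portion of the IR plan is executed", 0, 3, 1),
]


def validate(profile):
    """Reject malformed entries: unknown Function code, off-scale values, duplicates."""
    seen = set()
    for o in profile:
        if o.function not in FUNCTIONS:
            raise ValueError(f"{o.sub_id}: unknown Function {o.function}")
        if not (0 <= o.current <= 4 and 0 <= o.target <= 4):
            raise ValueError(f"{o.sub_id}: levels must be within 0..4")
        if o.sub_id in seen:
            raise ValueError(f"{o.sub_id}: duplicate Subcategory")
        seen.add(o.sub_id)
    return True


def determine_gaps(profile):
    """Outcomes whose Target exceeds Current, ordered for action:
    highest priority first, then largest gap first, then by identifier."""
    gaps = [o for o in profile if o.gap > 0]
    return sorted(gaps, key=lambda o: (o.priority, -o.gap, o.sub_id))


def progress_by_function(profile):
    """Per-Function progress toward the Target Profile, as a percentage:
    sum(min(current, target)) / sum(target) over the Function's outcomes."""
    sums = {}
    for o in profile:
        cur, tgt = sums.get(o.function, (0, 0))
        sums[o.function] = (cur + min(o.current, o.target), tgt + o.target)
    return {f: (round(100 * c / t) if t else 100) for f, (c, t) in sums.items()}


if __name__ == "__main__":
    validate(PROFILE)
    print("Prioritized gaps (Target Profile vs Current Profile):")
    for o in determine_gaps(PROFILE):
        print(f"  P{o.priority} {o.sub_id}  {o.current}->{o.target} (gap {o.gap})  {o.description}")
    print("Progress toward Target Profile by Function:")
    for code, pct in progress_by_function(PROFILE).items():
        print(f"  {code} {FUNCTIONS[code]:<9} {pct:>3}%")
```

The same two functions serve the reverse check at the next assessment cycle: re-enter the Current Profile and the shrinking gap list and rising percentages are the progress measure the Understand and Assess purpose calls for.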
CSF Tiers: New criteria
CSF Tier: A characterization of the rigor of an organization's cybersecurity risk governance and management practices. An organization can choose to use the Tiers to inform its Current and Target Profiles. New criteria for Tiers were presented in NIST CSF 2.0.
CSF 1.1 Tier criteria: Risk Management Process; Integrated Risk Management Program; External Participation
CSF 2.0 Tier criteria: Cybersecurity Risk Governance; Cybersecurity Risk Management; Third-Party Cybersecurity Risks
Other publications: Quick Start Guides
CSF 2.0 Organizational Profiles, Tiers, CSF 2.0 Community Profiles, C-SCRM, Small Business, Enterprise Risk Management…
CSF Quick Start Guide: A supplementary resource that gives brief, actionable guidance on specific CSF-related topics.
Other publications: CSF 2.0 Informative References
Other publications: Implementation Examples (used as potential IS controls)
CSF Implementation Example: A concise, action-oriented, notional illustration of a way to help achieve a CSF Core outcome.
www.patreon.com/posts/99269351
Significant Updates
1. Recognition of the broad use of the Framework (New Title and wider Scope)
2. New Function, Govern, and changes in the Categories and Subcategories
3. Increased guidance on CSF implementation (Profiles and Examples)
4. Emphasized cybersecurity supply chain risk management (C-SCRM) (see also NIST SP 800-161r1)
5. Clarified understanding of cybersecurity measurement and assessment (see also NIST SP 800-55)
6. Alignment (and integration) with other Frameworks and standards (see also the Cybersecurity and Privacy Reference Tool (CPRT): https://csrc.nist.gov/Projects/cprt)
NIST CSF 2.0 vs ISO 27001:2022
www.patreon.com/posts/99367389

NIST CSF 2.0 and ISO 27001:2022 (mapping)
www.patreon.com/posts/99514167

EU NIS 2 Directive and NIST CSF 2.0 (mapping)
www.patreon.com/posts/nis-2-directive-99440176
Thanks, and good luck!
www.linkedin.com/in/andreyprozorov
www.patreon.com/AndreyProzorov
If you have viewed my previous presentation, these markers will help you identify the differences between the draft and final versions of NIST CSF 2.0.
Legend: New slide / Changes / No changes

TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....rightmanforbloodline
Ā 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseWSO2
Ā 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringWSO2
Ā 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
Ā 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
Ā 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
Ā 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
Ā 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
Ā 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
Ā 

Recently uploaded (20)

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
Ā 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Ā 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
Ā 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
Ā 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
Ā 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
Ā 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization -  The evolution of API governanceAPI Governance and Monetization -  The evolution of API governance
API Governance and Monetization - The evolution of API governance
Ā 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
Ā 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Ā 
Elevate Developer Efficiency & build GenAI Application with Amazon Qā€‹
Elevate Developer Efficiency & build GenAI Application with Amazon Qā€‹Elevate Developer Efficiency & build GenAI Application with Amazon Qā€‹
Elevate Developer Efficiency & build GenAI Application with Amazon Qā€‹
Ā 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
Ā 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
Ā 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
Ā 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Ā 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
Ā 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
Ā 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
Ā 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
Ā 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Ā 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
Ā 

NIST Cybersecurity Framework (CSF) 2.0: What has changed?

1. NIST CSF 2.0: What has changed?
by Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001
www.patreon.com/AndreyProzorov
2.0, 02.03.2024
2. Agenda
1. Journey To CSF 2.0
2. New Title
3. New Scope
4. What is the Framework?
5. Desired outcomes
6. Components of the Framework
7. Purpose
8. The new function (Govern) and changes in Categories and Subcategories
9. Framework Profiles
10. CSF Tiers: New criteria
11. Steps for Creating and Using Profiles
12. Other publications
13. NIST CSF 2.0 Mindmap
14. Significant Updates
15. NIST CSF 2.0 vs ISO 27001:2002
16. NIST CSF 2.0 and ISO 27001:2022 (mapping)
17. EU NIS 2 Directive and NIST CSF 2.0 (mapping)
4. Why is NIST deciding to update the Framework now toward CSF 2.0?
The NIST Cybersecurity Framework was intended to be a living document that is refined, improved, and evolves over time. These updates help the Framework keep pace with technology and threat trends, integrate lessons learned, and move best practice to common practice.
NIST initially produced the Framework in 2014 and updated it in April 2018 with CSF 1.1. Based on stakeholder feedback, in order to reflect the ever-evolving cybersecurity landscape and to help organizations more easily and effectively manage cybersecurity risk, NIST is working on a new, more significant update to the Framework: CSF 2.0.
www.nist.gov/cyberframework/updating-nist-cybersecurity-framework-journey-csf-20
7. New Title
CSF 1.1: Framework for Improving Critical Infrastructure Cybersecurity
CSF 2.0: The NIST Cybersecurity Framework 2.0
8. New Scope (wider)
NIST CSF 2.0 is designed to be used by organizations of all sizes and sectors, including industry, government, academia, and nonprofit organizations, regardless of the maturity level of their cybersecurity programs.
The CSF is a foundational resource that may be adopted voluntarily and through governmental policies and mandates. The CSF's taxonomy and referenced standards, guidelines, and practices are not country-specific, and previous versions of the CSF have been leveraged successfully by many governments and other organizations both inside and outside of the United States.
9. What is the Framework?
The Cybersecurity Framework (CSF) 2.0 is designed to help organizations of all sizes and sectors, including industry, government, academia, and nonprofit, to manage and reduce their cybersecurity risks. It is useful regardless of the maturity level and technical sophistication of an organization's cybersecurity programs. Nevertheless, the CSF does not embrace a one-size-fits-all approach. Each organization has both common and unique risks, as well as varying risk appetites and tolerances, specific missions, and objectives to achieve those missions. By necessity, the way organizations implement the CSF will vary.
Current revision: 2.0, February 26, 2024
10. Desired outcomes
Ideally, the CSF will be used to address cybersecurity risks alongside other risks of the enterprise, including those that are financial, privacy, supply chain, reputational, technological, or physical in nature.
The CSF describes desired outcomes that are intended to be understood by a broad audience, including executives, managers, and practitioners, regardless of their cybersecurity expertise. Because these outcomes are sector-, country-, and technology-neutral, they provide an organization with the flexibility needed to address their unique risks, technologies, and mission considerations.
Outcomes are mapped directly to a list of potential security controls for immediate consideration to mitigate cybersecurity risks.
11. Components of the Framework (CSF 2.0)
NIST CSF 2.0 includes the following components:
• CSF Core, the nucleus of the CSF, which is a taxonomy of high-level cybersecurity outcomes that can help any organization manage its cybersecurity risks. The CSF Core components are a hierarchy of Functions, Categories, and Subcategories that detail each outcome.
• CSF Organizational Profiles, which are a mechanism for describing an organization's current and/or target cybersecurity posture in terms of the CSF Core's outcomes.
• CSF Tiers, which can be applied to CSF Organizational Profiles to characterize the rigor of an organization's cybersecurity risk governance and management practices. Tiers can also provide context for how an organization views cybersecurity risks and the processes in place to manage those risks.
12. Purpose (CSF 2.0)
An organization can use the CSF Core, Profiles, and Tiers with the supplementary resources to understand, assess, prioritize, and communicate cybersecurity risks.
Understand and Assess: Describe the current or target cybersecurity posture of part or all of an organization, determine gaps, and assess progress toward addressing those gaps.
Prioritize: Identify, organize, and prioritize actions for managing cybersecurity risks that align with the organization's mission, legal and regulatory requirements, and risk management and governance expectations.
Communicate: Provide a common language for communicating inside and outside the organization about cybersecurity risks, capabilities, needs, and expectations.
13. The new function (Govern) and changes in Categories and Subcategories
14. Functions: CSF 1.1 vs CSF 2.0
Govern (GV)
CSF 1.1: -
CSF 2.0: The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
Identify (ID)
CSF 1.1: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
CSF 2.0: The organization's current cybersecurity risks are understood.
Protect (PT)
CSF 1.1: Develop and implement appropriate safeguards to ensure delivery of critical services.
CSF 2.0: Safeguards to manage the organization's cybersecurity risks are used.
Detect (DE)
CSF 1.1: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
CSF 2.0: Possible cybersecurity attacks and compromises are found and analyzed.
Respond (RS)
CSF 1.1: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
CSF 2.0: Actions regarding a detected cybersecurity incident are taken.
Recover (RC)
CSF 1.1: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
CSF 2.0: Assets and operations affected by a cybersecurity incident are restored.
16. Core structure in numbers: CSF 1.1 vs CSF 2.0
Functions: 5 (CSF 1.1), 6 (CSF 2.0)
Categories: 23 (CSF 1.1), 22 (CSF 2.0)
Subcategories: 108 (CSF 1.1), 106 (CSF 2.0)
Implementation Examples: - (CSF 1.1), 363 (CSF 2.0)
17. CSF 2.0 Pyramid
CSF Core: A taxonomy of high-level cybersecurity outcomes that can help any organization manage its cybersecurity risks. Its components are a hierarchy of Functions, Categories, and Subcategories that detail each outcome.
• CSF Function: The highest level of organization for cybersecurity outcomes. There are six CSF Functions: Govern, Identify, Protect, Detect, Respond, and Recover.
• CSF Category: A group of related cybersecurity outcomes that collectively comprise a CSF Function.
• CSF Subcategory: A group of more specific outcomes of technical and management cybersecurity activities that comprise a CSF Category.
• CSF Implementation Example: A concise, action-oriented, notional illustration of a way to help achieve a CSF Core outcome.
Functions: 6
Categories: 22
Subcategories: 106
Implementation Examples: 363
18. Framework Profiles
A CSF Organizational Profile describes an organization's current and/or target cybersecurity posture in terms of the Core's outcomes. Every Organizational Profile includes one or both of the following:
• A Current Profile specifies the Core outcomes that an organization is currently achieving (or attempting to achieve) and characterizes how or to what extent each outcome is being achieved.
• A Target Profile specifies the desired outcomes that an organization has selected and prioritized for achieving its cybersecurity risk management objectives. A Target Profile considers anticipated changes to the organization's cybersecurity posture, such as new requirements, new technology adoption, and threat intelligence trends.
19. Steps for Creating and Using Profiles
Replaced 3.2 Establishing or Improving a Cybersecurity Program (CSF 1.1):
Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze, and Prioritize Gaps
Step 7: Implement Action Plan
20. CSF Tiers: New criteria
CSF Tier: A characterization of the rigor of an organization's cybersecurity risk governance and management practices. An organization can choose to use the Tiers to inform its Current and Target Profiles. New criteria for Tiers were presented in NIST CSF 2.0.
CSF 1.1 criteria:
• Risk Management Process
• Integrated Risk Management Program
• External Participation
CSF 2.0 criteria:
• Cybersecurity Risk Governance
• Cybersecurity Risk Management
• Third-Party Cybersecurity Risks
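The Profile workflow on the slides above (Create a Current Profile, Create a Target Profile, then Determine, Analyze, and Prioritize Gaps), worked through as an added Python example that is not part of the deck or of any NIST tool. Subcategory identifiers follow NIST's CSF 2.0 naming pattern (Function.Category-NN); the 0-4 achievement scale, the scores and the priorities are constructed assumptions for illustration.

```python
"""Gap analysis between a CSF 2.0 Current Profile and a Target Profile.

Added example (not from the slide deck or NIST).  It models Step 3 (Current
Profile), Step 5 (Target Profile) and Step 6 (Determine, Analyze, and
Prioritize Gaps).  Scores, priorities and the 0-4 scale are constructed.
"""
from dataclasses import dataclass

# CSF 2.0 Functions in Core order, keyed by the prefix NIST uses in outcome IDs.
FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# Constructed Current Profile: how far each outcome is achieved today (0-4).
CURRENT = {
    "GV.OC-01": 1, "GV.SC-01": 0, "ID.AM-01": 3, "ID.RA-01": 2,
    "PR.AA-01": 2, "PR.DS-01": 3, "DE.CM-01": 1, "RS.MA-01": 2, "RC.RP-01": 1,
}
# Constructed Target Profile: outcome -> (target score, priority; 1 = highest).
# Priority reflects mission, legal/regulatory and risk-appetite considerations.
TARGET = {
    "GV.OC-01": (3, 2), "GV.SC-01": (3, 1), "ID.AM-01": (3, 3), "ID.RA-01": (4, 1),
    "PR.AA-01": (4, 1), "PR.DS-01": (3, 3), "DE.CM-01": (3, 2), "RS.MA-01": (3, 2),
    "RC.RP-01": (3, 3),
}


@dataclass(frozen=True)
class Gap:
    outcome: str
    function: str
    current: int
    target: int
    priority: int

    @property
    def size(self) -> int:
        return self.target - self.current


def function_of(outcome_id: str) -> str:
    """Map an outcome ID such as 'PR.AA-01' to its Function name via the prefix."""
    prefix = outcome_id.split(".", 1)[0]
    if prefix not in FUNCTIONS:
        raise ValueError(f"unknown CSF Function prefix in {outcome_id!r}")
    return FUNCTIONS[prefix]


def determine_gaps(current: dict, target: dict) -> list:
    """Step 6: every Target outcome the Current Profile falls short of,
    ordered by priority, then shortfall size, then Core order.
    An outcome absent from the Current Profile counts as not achieved (0)."""
    gaps = []
    for outcome, (want, prio) in target.items():
        have = current.get(outcome, 0)
        if have < want:
            gaps.append(Gap(outcome, function_of(outcome), have, want, prio))
    order = list(FUNCTIONS.values())
    return sorted(gaps, key=lambda g: (g.priority, -g.size,
                                       order.index(g.function), g.outcome))


def gaps_by_function(gaps: list) -> dict:
    """Aggregate the shortfall per Function for executive-level communication."""
    totals = {name: 0 for name in FUNCTIONS.values()}
    for g in gaps:
        totals[g.function] += g.size
    return totals


if __name__ == "__main__":
    found = determine_gaps(CURRENT, TARGET)
    for g in found:
        print(f"P{g.priority} {g.outcome:<9} {g.function:<8} {g.current} -> {g.target} (gap {g.size})")
    print(gaps_by_function(found))
```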
22. Other publications: Quick Start Guides
CSF 2.0 Organizational Profiles, Tiers, CSF 2.0 Community Profiles, C-SCRM Small Business, Enterprise Risk Management...
CSF Quick Start Guide: A supplementary resource that gives brief, actionable guidance on specific CSF-related topics.
23. Other publications: CSF 2.0 Informative References
24. Other publications: Implementation Examples (used as potential IS controls)
CSF Implementation Example: A concise, action-oriented, notional illustration of a way to help achieve a CSF Core outcome.
26. Significant Updates
1. Recognition of the broad use of the Framework (New Title and wider Scope)
2. New Function, Govern, and changes in the Categories and Subcategories
3. Increased guidance on CSF implementation (Profiles and Examples)
4. Emphasized cybersecurity supply chain risk management (C-SCRM) (see also NIST SP 800-161r1)
5. Clarified understanding of cybersecurity measurement and assessment (see also NIST SP 800-55)
6. Alignment (and integration) with other Frameworks and standards (see also the Cybersecurity and Privacy Reference Tool (CPRT): https://csrc.nist.gov/Projects/cprt)
27. NIST CSF 2.0 vs ISO 27001:2002
www.patreon.com/posts/99367389
29. EU NIS 2 Directive and NIST CSF 2.0 (mapping)
www.patreon.com/posts/nis-2-directive-99440176
30. Thanks, and good luck!
www.linkedin.com/in/andreyprozorov
www.patreon.com/AndreyProzorov
31. If you have viewed my previous presentation, these markers will help you identify the differences between the draft and final versions of NIST CSF 2.0: New slide, Changes, No changes.